Is Android ready for the Enterprise?
Currently in version 2.3.4 at the time of writing, Android offers high levels of user customisation, social networking integration and a 'desktop-like' mobile browsing experience. The platform is very attractive to consumers... but is the operating system ready for the Enterprise?
What is meant by an 'Enterprise-ready' operating system? Ideally the platform should offer the features required by a mobile user as well as conform to the security policy defined by the IT department.
Features
- Wireless access to corporate (Microsoft Exchange or Lotus Domino) email, contacts and calendar information, ideally updated via 'push' with no user interaction required. All information exchanges between the device and the server should be secure. Access should preferably be available via both cellular and WiFi connections.
- Support for Virtual Private Networking (VPN) infrastructure enabling access to internal corporate applications and network resources
- Optionally, the device may need to be integrated with the corporate IP PBX providing free calls over WiFi when in the office between internal extensions, and landline-to-landline call charges for landline numbers.
- The ability to create and edit office documents
- Access to corporate instant messaging / chat systems
Security
Providing remote access to sensitive corporate applications and information inherently comes with security risks: should the device be lost or stolen, how do you prevent unauthorised access?
- An enterprise-ready platform should at the very least offer the administrator the ability to remotely wipe a device that has been reported lost or stolen by the user, or even the ability for the user to initiate a wipe themselves via a web browser as soon as they realise the device has been lost.
- It should also be possible to remotely apply a password usage policy to the device, so that users must enter a password on the device to unlock it, and the device should lock itself automatically after a period of inactivity. In the event that a password is incorrectly entered on the device x number of times in succession, the device should be able to wipe itself automatically.
- For ease of setup, enterprise-ready devices can have the necessary configuration settings for Internet access (both cellular and WiFi access points), email and VPN deployed remotely over the air, with little to no user interaction.
- Optionally, the platform should also support the ability to remotely enforce a corporate usage policy, enabling the administrator to remotely disable user access to certain hardware and software elements such as the camera, MMS, Bluetooth, etc. The ability for the user to install applications on the device, other than those expressly approved by the administrator, should also be configurable remotely.
Although it is fashionable to knock Microsoft products, and whilst it is true that the platform does look 'clunky' now compared to Android and the iPhone, it can't be denied that Windows Mobile 6.5 does address most of the above security concerns. Device management functionality is included as part of the Exchange 2007 product, enabling the administrator to remotely wipe devices, enforce a password usage policy, enable and disable hardware and software elements, and create application white- and blacklists.
Nokia's E and N Symbian S60 platform also natively supports the OMA-CP and OMA-DM protocols when used in conjunction with a suitable DM server product.
For more information on the DM functionality of Windows Mobile and Exchange as well as more powerful third-party DM solutions, read this article - http://blog.brightpointuk.co.uk/choosing-device-management-solution-q3-2010
So how does Android stack up?
Features
- Exchange Email - Android 2.3 features native Exchange support, with the ability to configure multiple concurrent Exchange email accounts, optionally displayed in a unified Inbox, colour-coded by account.
Full mailbox access is possible, including subfolders. Signature and out of office settings can also be edited directly from the device. For more information on the Exchange capabilities of Android 2.3 read this article - http://blog.brightpointuk.co.uk/quick-look-android-23s-exchange-support

- VPN support - Android 1.6 (Donut) brought with it support for PPTP and L2TP VPN protocols, but a "proper" IPSec VPN client is still not available as standard - http://blog.brightpointuk.co.uk/adding-vpn-connections-android-16-donut

- VoIP - Android 2.3.3 features a built-in SIP-based VoIP client that allows you to configure your device as a wireless extension of your corporate telephone system, both when in the office and when working remotely, provided that your telephone system can be configured correctly. This allows workers to still use their mobile when in the office, but not pay mobile call charges and, importantly, not pay to speak to other people in the office. For more information on how to configure the SIP client on Android read this article - http://blog.brightpointuk.co.uk/setting-htc-desire-s-wireless-extension-...
- Document Editing - Android offers the ability to view common document formats as standard, including Word documents, spreadsheets, presentations and PDF documents. In order to be able to create and edit documents, current HTC and Motorola devices ship with the Polaris Office or QuickOffice suites that provide this functionality. A wide range of applications is also available to purchase from the Android Market, such as DataViz Documents To Go.
- Instant Messaging - Android supports Google's Talk service as standard, and there is a wide range of messaging clients available, including Skype and Viber. At the time of writing there is no support for Microsoft Office Communicator / Lync server, however.
Security
- Open Source - Android is an open source platform based on the Linux kernel. As such, it can be argued that whilst the open source project does mean a wealth of third-party applications, it also makes it possible for anyone to study the platform in order to discover and exploit security vulnerabilities in it.
One approach Google has taken when developing the Android platform is known as "application sandboxing": all applications must state what hardware resources and file locations they require access to, and only those areas will be permitted by the operating system. It is not possible to alter these once installed without at least requiring approval by the user. This approval is requested during the initial installation and can be viewed at any point within the Applications settings menu.
Android does also require that applications be signed before they can be installed; however, the platform does not require that the certificate used to sign the application be 'root-trusted'. Any old certificate can therefore be used, rendering the feature fairly pointless, and the feature can be disabled altogether by the user.
- Remote Device Wipe - If a device has been configured to synchronise with an Exchange server, that device can be remotely wiped either by the Exchange administrator or by the users themselves in the event that it is lost or stolen. The remote wipe process can be launched within Outlook Web Access from any web browser.
Android devices can also be remotely wiped by the administrator of a Google Apps domain if Gmail is being used as the email platform.
A number of manufacturers, including HTC (HTCSense.com) and Motorola (MotoBLUR), also offer web-based device management portals to end users that allow for devices to be remotely locked and wiped from a web browser.
- Password Usage - If an Android device is configured to synchronise with an Exchange server, then use of a password can be enforced on that device as part of the Exchange ActiveSync policy. The required complexity of the password can also be specified.
HTC and Motorola Android devices also support password history policies, so that users are required to choose new passwords each time their current password expires.
Google Apps also supports password usage enforcement.
It is also worth noting that Android supports the use of hand gestures as a form of unlocking a device, which can be used in addition to an alphanumeric password.
- Corporate Usage Policy - It is not possible to remotely enable or disable hardware or software elements on the Android platform at the time of writing via Exchange ActiveSync; however, Google Apps administrators can disable the camera on connected Android devices - http://blog.brightpointuk.co.uk/google-apps-device-policy-android
There are a number of device management solutions available for Android, including Soti MobiControl and 3LM. Follow the links for more information on the capabilities of these platforms.
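The permission declarations described under Open Source can be checked against the kind of corporate usage policy discussed above before an application is approved. The following is an added example, not part of the original article: the deny list, the sample manifest and the function names are constructed for illustration, and the manifest is assumed to be in plain-text XML form (inside a built package it is stored in a binary encoding and must be decoded first).

```python
import xml.etree.ElementTree as ET

# Attribute names in the manifest live in the Android XML namespace.
NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Hypothetical corporate usage policy (an assumption for this example):
# permissions that administrator-approved applications must not request.
DENIED = {
    "android.permission.CAMERA": "camera",
    "android.permission.BLUETOOTH": "Bluetooth",
    "android.permission.SEND_SMS": "SMS sending",
}

# Constructed sample manifest, plain-text XML form.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.expenses">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission/>
    <application android:label="Expenses"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return (package, permissions) declared by a manifest, de-duplicated."""
    # For manifests from untrusted sources, prefer a hardened parser
    # such as defusedxml over the standard-library one.
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    names = []
    for elem in root.findall("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name and name not in names:  # skip malformed and repeated entries
            names.append(name)
    return root.get("package"), names


def audit(manifest_xml, denied=DENIED):
    """Compare the declared permissions with the policy's deny list."""
    package, perms = requested_permissions(manifest_xml)
    violations = [(p, denied[p]) for p in perms if p in denied]
    return {"package": package, "requested": perms,
            "violations": violations, "approved": not violations}


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```
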
Conclusion
Android offers a high level of customisation and personalisation options as well as a wide range of multimedia and social networking features that appeal to consumers. For businesses that need to support employee-owned phones but enforce a level of security to safeguard company assets and information that may be accessed from the phone, Android offers a number of security measures as standard, including password usage enforcement and remote device wipe (and, with Android 3.0, on-device data encryption).
With the use of a third-party device management solution such as Soti MobiControl or 3LM, it is further possible to remotely deliver required applications, and blacklist those applications you do not wish users to install.
3LM further offers the ability to establish a secure VPN tunnel back to the office to access corporate LOB applications. Follow the links contained in this article to find out more, or call Brightpoint on 0870 849 0225 to speak to an expert.